Re: Question of Likelihood

[Pete Herzog <lists () isecom org>]

Hi,

Have you looked into the OSSTMM ravs- attack surface classification 
and metrics? It would help you categorize the order in the way you 
want here- by what they do and not some guessed weighting or priority 
system. Basically it would let you prioritize by 5 vulnerability 
classifications and that way if something provides access in any way 
it's classified as a higher priority than something that just gives an 
exposure.

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete () isecom org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org

On 5/14/2012 5:21 AM, Pen Testar wrote:
> I'm testing an app with sensitive information that is full of holes. Reflected and persisted XSS, CRSF, various 
> injection attacks… you name it.
>
>
> You also have a bunch of vulns that aren’t typically of high likelihood, but in the presence of the other vulns above 
> (I’ll call them the “enabling� vulns), some of these lows are easier to exploit. When you rank, do you rank each 
> vuln independently or in context of others?
>
>
> I can see arguments either way:
> 1.       One opinion may say rank independently as long as the enabling vulns are marked high. That way if the project 
> team can’t fix’em all, then they can focus on the enabling ones and that'll naturally bring the others down to low. 
> You also don’t want to hand them a report with too many highs as not appear like an alarmist and lose credibility.
> 2.       The other opinion may say rank it high because this is the truth in view of the current posture of the 
> application.
>
> What’s the common practice out there?
>
> Thanks
> Pentestar Â
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
> and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------